NGINX caching proxy fails with SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

Question

NGINX acting as a caching proxy encounters problems when fetching content from CloudFront server over HTTPS:

This is the extract from the NGINX\'s error log:

Answer 1

I had the exactly same problem and spent a couple of hours... I guess you are using older version of nginx (lower than 1.7)? In nginx 1.7 you can use this directive:

proxy_ssl_server_name on;

This will force nginx to use SNI Also, you should set the SSL protocols:

proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

For earlier versions you may be able to use this patch (but I can't verify that that is working):

http://trac.nginx.org/nginx/ticket/229

2019 Update: You should avoid TLSv1 and TLSv1.1 and disable them if possible. I'll leave them in the answer as they are still valid for SNI.